TBD Prediction Market Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed prediction-market helper, but it can automate real USDC betting without clear per-bet approval or strong API-key safeguards.

Install only if you intentionally want an agent to help with real-money USDC prediction-market betting. Use a dedicated low-balance account, keep the API key out of logs and shell history, review the strategy file, and require explicit approval plus hard spending limits before enabling any autonomous loop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (94% confidence)

Finding
The skill explicitly instructs an autonomous loop that repeatedly checks balance, analyzes campaigns, and places bets, but it does not require a fresh user confirmation before each fund-affecting action or prominently warn that real USDC will be spent. In an agent setting, this materially increases the risk of unintended financial loss, especially because the loop is framed as a normal orchestrated workflow and includes repeat behavior.

Missing User Warnings

Medium (92% confidence)

Finding
The raw HTTP fallback shows direct use of a bearer API key and a POST request that places real-money bets, but it does not include strong guidance on secret handling, confirmation, or the financial consequences of the action. This makes accidental credential exposure and unintended spending more likely, particularly for agents that may log commands or surface them to users.

VirusTotal

65/65 vendors flagged this skill as clean.
